Terraform state file leaking OAuth client_secret for quality evaluation webhooks

Error: sensitive values in state file are not masked properly

I’m configuring Genesys Cloud instances via the genesyscloud Terraform provider to automate our quality evaluation infrastructure. Specifically, I need to register OAuth clients that will be used by external scoring engines to authenticate against the Quality API (/api/v2/quality/evaluations).

The problem is straightforward but dangerous. When I define the genesyscloud_oauth_client resource, the client_secret attribute is being stored in plaintext within the .tfstate file. Even after running terraform state replace-provider or using the sensitive = true flag on the variable, the secret persists in the state file in plain text when I inspect the raw JSON output or diff the state.

Here is the resource definition I am using:

resource "genesyscloud_oauth_client" "quality_scoring_client" {
 name = "Quality Scoring Engine"
 grant_types = ["client_credentials"]
 
 # Attempting to mask this
 client_secret = var.oauth_client_secret
 
 redirect_uris = ["https://internal.scoring.engine/callback"]
}

And the variable definition:

variable "oauth_client_secret" {
 type = string
 sensitive = true
}

I have tried using terraform state rm to exclude the resource, but that breaks the dependency graph for the downstream webhook configuration that references this client ID. I also attempted to use the external data source to generate the secret outside of Terraform, but the genesyscloud_oauth_client resource requires the secret at creation time and does not support an import strategy that omits the secret from state.

I need a method to manage these OAuth credentials without them residing in the state file, especially since our state is stored in a shared S3 bucket with standard IAM controls. The sensitive flag only masks output during plan and apply; it does not encrypt or remove the value from the state file itself.

How do I configure the genesyscloud_oauth_client resource or the Terraform state backend to prevent the client_secret from being written to the state file in plaintext?
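
The condition described above can be checked mechanically. The following is an added example, not part of the original post or the genesyscloud provider: it scans state JSON for non-empty string attributes whose names look secret-bearing and reports where they are without echoing the values. It assumes the state format version 4 layout (`resources[].instances[].attributes`); the key-name pattern and the sample state are constructed for illustration.

```python
import json
import re

# Attribute names treated as secret-bearing (an assumption; extend for your providers).
SECRET_KEY = re.compile(r"(secret|password|token|private_key)", re.IGNORECASE)

# Constructed sample in Terraform state format version 4; the secret value is fake.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [{
        "type": "genesyscloud_oauth_client",
        "name": "quality_scoring_client",
        "instances": [{
            "attributes": {"name": "Quality Scoring Engine", "client_secret": "EXAMPLE-not-a-real-secret"},
        }],
    }],
})


def walk(node, path=""):
    """Yield (path, value) for every non-empty string under a secret-like key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and SECRET_KEY.search(key):
                yield child, value
            else:
                yield from walk(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")


def find_plaintext_secrets(state_json):
    """Return findings as (resource address, attribute path, value length)."""
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        address = f'{res.get("type")}.{res.get("name")}'
        for instance in res.get("instances", []):
            for path, value in walk(instance.get("attributes") or {}):
                findings.append((address, path, len(value)))  # never echo the value
    return findings


if __name__ == "__main__":
    for address, path, length in find_plaintext_secrets(SAMPLE_STATE):
        print(f"{address}: {path} stored in plaintext ({length} chars)")
```

To check a real workspace, pass the output of `terraform state pull` to `find_plaintext_secrets` instead of the sample.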